
Re: Does squid support TLS ticket based SSL session reuse?

On 20/06/2013 6:51 a.m., Ahmed Talha Khan wrote:
> Does squid support SSL session reuse? If so then is it based on the
> older ssl session_identifiers or the TLS ticket scheme?

Maybe, and Unknown.

> The next question is that if it does support the session reuse, how is
> the session cache maintained by squid?

Squid does not maintain an SSL session cache. Squid simply relays details to and from OpenSSL. What happens in there is up to your OpenSSL library configuration.

Squid's ssl_crtd and validator features maintain a cache of *certificates* which have been generated or seen in the current traffic.

> Also will the session reuse functionality be available both between
> client-squid and squid-origin server?

No. Client-squid and squid-origin traffic is unrelated. HTTP/1.1 contains multiplexing, which means any request may arrive on any client connection and go out on any suitable server connection.


> I am looking at forward proxy mode.

In normal forward-proxy mode there are two ways Squid handles SSL.
A) CONNECT method. An opaque binary stream of data between the client and server. Squid does not touch this in any way**.

B) SSL connection direct to the proxy. The SSL is decrypted using the configured server cert and the result is plaintext HTTP requests for https:// URLs, handled normally inside the proxy.


** except when SSL-bumping - in which case it unwraps the CONNECT and decrypts the SSL exactly as if it had been received on an https_port - the handling of (B) then applies.

Amos
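Since the answer above is "Maybe, and Unknown" and the behaviour depends on the OpenSSL build behind the proxy, an operator has to find out empirically whether their own https_port (case B above, or an SSL-bumped CONNECT) resumes TLS sessions, and whether the resumption is ticket-based or session-ID based. The script below is an added example and is not code from this thread or from the Squid project. It uses openssl s_client's -sess_out/-sess_in options to save the session from a first handshake and offer it on a second, then classifies the two outputs by s_client's own "Reused," and "TLS session ticket:" lines. HOST and PORT are placeholders for the proxy's https_port; the sample outputs in the comments are constructed. One caveat: a server that issues a ticket may still fall back to a session-ID lookup if it rejects the ticket, so the classification reports what was offered and whether reuse happened, not the server's internal cache policy.

```shell
#!/bin/sh
# Added example (not from the thread or Squid): probe a TLS endpoint such as a
# Squid https_port for session resumption, and report whether the saved
# session carried a TLS ticket. Usage: ./probe.sh HOST PORT (both placeholders).

# classify_resumption FIRST_OUTPUT SECOND_OUTPUT
#   FIRST_OUTPUT  = s_client output of the initial full handshake (-sess_out)
#   SECOND_OUTPUT = s_client output of the retry that offered the saved session (-sess_in)
# Prints one of: resumed:ticket, resumed:session-id, not-resumed
classify_resumption() {
    first="$1"
    second="$2"

    # s_client prints "Reused, TLSv1.2, Cipher is ..." in the SSL-Session block
    # when the server accepted the offered session, and "New, ..." otherwise.
    case "$second" in
        *"Reused, "*) reused=yes ;;
        *)            reused=no ;;
    esac

    # A "TLS session ticket:" hex dump in the first handshake's output means the
    # server issued an RFC 5077 ticket that the client then stored in the session.
    case "$first" in
        *"TLS session ticket:"*) ticket=yes ;;
        *)                       ticket=no ;;
    esac

    if [ "$reused" = yes ] && [ "$ticket" = yes ]; then
        echo "resumed:ticket"
    elif [ "$reused" = yes ]; then
        echo "resumed:session-id"
    else
        echo "not-resumed"
    fi
}

# probe_resumption HOST PORT
# Runs the two handshakes against HOST:PORT and classifies them. Requires the
# openssl binary and network access to the endpoint; the temporary session
# file is removed afterwards. stdin is /dev/null so s_client exits after the
# handshake instead of waiting for input.
probe_resumption() {
    host="$1"
    port="$2"
    sess="$(mktemp)"

    first="$(openssl s_client -connect "$host:$port" -servername "$host" \
                -sess_out "$sess" </dev/null 2>/dev/null)"
    second="$(openssl s_client -connect "$host:$port" -servername "$host" \
                -sess_in "$sess" </dev/null 2>/dev/null)"

    rm -f "$sess"
    classify_resumption "$first" "$second"
}

# Only probe when HOST and PORT were given on the command line.
if [ $# -eq 2 ]; then
    probe_resumption "$1" "$2"
fi
```

Run the script once against the proxy's https_port and once against the origin server; as the reply explains, the two sides are independent, so a result on one side says nothing about the other. For an SSL-bumped CONNECT the client-side probe would need to go through the CONNECT first, which plain s_client does not do on its own.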



